ComponentBuilder fails to recognize verifyHostName attribute in Ssl component (Log4j 2.25.3) #4061

@b-k-patel

Description

Using Log4j 2.25.3 to address CVE-2025-68161, I am unable to configure hostname verification programmatically using the ComponentBuilder API.
When attempting to add the verifyHostName attribute to a nested Ssl component (intended for a Syslog or Socket appender), the StatusLogger reports an error stating that the attribute is invalid.

Syslog Error Detected: Ssl contains an invalid element or attribute "verifyHostName"

Steps to Reproduce:

Use Log4j 2.25.3 (Core and API).
Create a programmatic configuration using ConfigurationBuilderFactory.newConfigurationBuilder().
Create an Ssl component and attempt to set the hostname verification attribute.
In my case, I am trying to use the Syslog appender and add the Ssl component inside it.

Configuration

ComponentBuilder sslComponent = builder.newComponent("Ssl")
        .addAttribute("protocol", "TLS")
        .addAttribute("verifyHostName", "true"); // Fails here

Add this component to a Syslog appender.
Initialize the configuration.

Observed Result:

The console output shows:
Syslog Error Detected: Ssl contains an invalid element or attribute "verifyHostName"

Internal Investigation:

I extracted the Log4j2Plugins.dat file from the official log4j-core-2.25.3.jar (downloaded from Maven Central). A string analysis of the binary metadata reveals:
Contains("Ssl") -> True
Contains("verifyHostName") -> False

This suggests the plugin metadata was not correctly updated in the 2.25.3 release to include the verifyHostName attribute for the Ssl component, preventing the ComponentBuilder from validating and applying it.

Expected Result:

The ComponentBuilder should recognize verifyHostName as a valid attribute for the Ssl component, allowing for secure TLS endpoint identification as specified in the 2.25.3 documentation.
Version: [Log4j version]

Operating system: [OS and version]
Windows 11

JDK: [JDK distribution and version]
Java 21

Logs

[Stacktraces, errors, etc. relevant applications logs.]

Reproduction

import org.apache.logging.log4j.core.config.builder.api.ComponentBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;

/**
 * Reproducer for Log4j2 2.25.3 ComponentBuilder Metadata Issue.
 *
 * Expected: verifyHostName is accepted as a valid attribute for Ssl component.
 *
 * Actual: StatusLogger reports "Ssl contains an invalid element or attribute 'verifyHostName'".
 */
public class Log4jMetadataBug {
    public static void main(String[] args) {
        // Force status logger to show the error in console
        System.setProperty("log4j2.debug", "true");

        ConfigurationBuilder<BuiltConfiguration> builder = ConfigurationBuilderFactory.newConfigurationBuilder();
        builder.setStatusLevel(org.apache.logging.log4j.Level.DEBUG);

        // This component creation triggers the validation error
        ComponentBuilder<?> sslComponent = builder.newComponent("Ssl")
                .addAttribute("protocol", "TLS")
                .addAttribute("verifyHostName", "true"); // Attribute causing the crash

        System.out.println("Attempting to build configuration...");
        try {
            builder.build();
            System.out.println("Build successful (unexpected)");
        } catch (Exception e) {
            System.err.println("Build failed as expected: " + e.getMessage());
        }
    }
}

[An isolated test reproducing the test.
JUnit tests similar to the ones in the code base are extremely appreciated.]
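
An added example (not part of the original report, and not Log4j code): a Python parser for the Log4j2Plugins.dat cache examined above, so the fields each plugin entry records can be listed rather than inferred from a substring search. It assumes the layout written by log4j-core 2.x's PluginCache (a category count, then per category a name and entries of key, class name, plugin name, and printable/defer flags); the helper names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

# Location of the plugin cache inside log4j-core 2.x jars.
CACHE_PATH = "META-INF/org/apache/logging/log4j/core/config/plugins/Log4j2Plugins.dat"

def _read_utf(buf):
    """Read one DataOutputStream.writeUTF value: u16 byte length, then the bytes."""
    (length,) = struct.unpack(">H", buf.read(2))
    return buf.read(length).decode("utf-8")  # plugin names are ASCII

def parse_plugin_cache(data):
    """Parse cache bytes into {category: {key: entry}} (layout is an assumption)."""
    buf = io.BytesIO(data)
    (n_categories,) = struct.unpack(">i", buf.read(4))
    cache = {}
    for _ in range(n_categories):
        category = _read_utf(buf)
        (n_entries,) = struct.unpack(">i", buf.read(4))
        entries = cache.setdefault(category, {})
        for _ in range(n_entries):
            key, class_name, name = _read_utf(buf), _read_utf(buf), _read_utf(buf)
            printable, defer = struct.unpack(">??", buf.read(2))
            entries[key] = {"class": class_name, "name": name,
                            "printable": printable, "defer": defer}
    if buf.read(1):
        raise ValueError("trailing bytes: not the assumed cache layout")
    return cache

def load_from_jar(jar_path):
    """Read and parse the cache from a log4j-core jar on disk."""
    with zipfile.ZipFile(jar_path) as jar:
        return parse_plugin_cache(jar.read(CACHE_PATH))

def _utf(text):
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

def build_sample_cache():
    """Constructed sample (not taken from a real jar): one 'core' entry for Ssl."""
    entry = (_utf("ssl") + _utf("org.apache.logging.log4j.core.net.ssl.SslConfiguration")
             + _utf("Ssl") + struct.pack(">??", True, False))
    return struct.pack(">i", 1) + _utf("core") + struct.pack(">i", 1) + entry

if __name__ == "__main__":
    for category, entries in parse_plugin_cache(build_sample_cache()).items():
        for key, entry in entries.items():
            print(category, key, entry)
```

To inspect a downloaded jar, call `load_from_jar` with its path and look up the `ssl` key in the `core` category.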
